Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample Name: | file.exe |
| Analysis ID: | 736956 |
| MD5: | 9156fa044ec274f670095e43e205d137 |
| SHA1: | 62107d1bd3cb01d59924433f1c8a97c7096d5fb7 |
| SHA256: | 861751b8c762f3332f12c1f4ff45c3108357b1debbde2a07a5e9d44e806ce88d |
| Tags: | exe |
| Infos: |  |
 | |
Detection
Nymaim
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
file.exe (PID: 5676 cmdline: C:\Users\u ser\Deskto p\file.exe MD5: 9156FA044EC274F670095E43E205D137) - is-SQE6E.tmp (PID: 5624 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-VVS 8D.tmp\is- SQE6E.tmp" /SL4 $302 24 "C:\Use rs\user\De sktop\file .exe" 2630 911 52736 MD5: 7CD12C54A9751CA6EEE6AB0C85FB68F5) 
fnsearcher68.exe (PID: 3080 cmdline: "C:\Progra m Files (x 86)\fnSear cher\fnsea rcher68.ex e" MD5: 3FCA96750E2F656A73FBC6A896F53209) 
0JzI2az.exe (PID: 4556 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06) 
cmd.exe (PID: 4392 cmdline: "C:\Window s\System32 \cmd.exe" /c taskkil l /im "fns earcher68. exe" /f & erase "C:\ Program Fi les (x86)\ fnSearcher \fnsearche r68.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 3328 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - taskkill.exe (PID: 4692 cmdline:
taskkill / im "fnsear cher68.exe " /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | URL Reputation: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 1_2_0045A060 | |
| Source: | Code function: | 1_2_0045A114 | |
| Source: | Code function: | 1_2_0045A12C | |
| Source: | Code function: | 2_2_00403770 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_0046E2D4 | |
| Source: | Code function: | 1_2_0047694C | |
| Source: | Code function: | 1_2_00450EA4 | |
| Source: | Code function: | 1_2_0045E738 | |
| Source: | Code function: | 1_2_00474BD0 | |
| Source: | Code function: | 1_2_0045EBB4 | |
| Source: | Code function: | 1_2_0045D1B4 | |
| Source: | Code function: | 1_2_0048D260 | |
| Source: | Code function: | 2_2_00404490 | |
| Source: | Code function: | 2_2_004241DD | |
| Source: | Code function: | 2_2_1000959D | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 2_2_00401B30 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Binary or memory string: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040914C | |
| Source: | Code function: | 0_2_00409180 | |
| Source: | Code function: | 1_2_004536F0 | |
| Source: | Code function: | 0_2_004081A8 | |
| Source: | Code function: | 1_2_0043D2D0 | |
| Source: | Code function: | 1_2_004777A8 | |
| Source: | Code function: | 1_2_00461C80 | |
| Source: | Code function: | 1_2_00469F50 | |
| Source: | Code function: | 1_2_00458180 | |
| Source: | Code function: | 1_2_00430454 | |
| Source: | Code function: | 1_2_004446E8 | |
| Source: | Code function: | 1_2_004348B0 | |
| Source: | Code function: | 1_2_00444AF4 | |
| Source: | Code function: | 1_2_0047CC54 | |
| Source: | Code function: | 1_2_0045B078 | |
| Source: | Code function: | 1_2_00413202 | |
| Source: | Code function: | 1_2_004832E4 | |
| Source: | Code function: | 1_2_0042F9F8 | |
| Source: | Code function: | 1_2_00443A48 | |
| Source: | Code function: | 1_2_00433BAC | |
| Source: | Code function: | 1_2_00463C84 | |
| Source: | Code function: | 2_2_00404490 | |
| Source: | Code function: | 2_2_004056A0 | |
| Source: | Code function: | 2_2_00406800 | |
| Source: | Code function: | 2_2_00409A10 | |
| Source: | Code function: | 2_2_00406AA0 | |
| Source: | Code function: | 2_2_00404D40 | |
| Source: | Code function: | 2_2_00405F40 | |
| Source: | Code function: | 2_2_00402F20 | |
| Source: | Code function: | 2_2_0042B06A | |
| Source: | Code function: | 2_2_00422038 | |
| Source: | Code function: | 2_2_004290E9 | |
| Source: | Code function: | 2_2_00415486 | |
| Source: | Code function: | 2_2_004156B8 | |
| Source: | Code function: | 2_2_00422759 | |
| Source: | Code function: | 2_2_00404840 | |
| Source: | Code function: | 2_2_004198C0 | |
| Source: | Code function: | 2_2_00426C00 | |
| Source: | Code function: | 2_2_00447D2D | |
| Source: | Code function: | 2_2_00410E00 | |
| Source: | Code function: | 2_2_0042AF4A | |
| Source: | Code function: | 2_2_00404F20 | |
| Source: | Code function: | 2_2_1000F670 | |
| Source: | Code function: | 2_2_1000EC61 | |
| Source: | Code function: | 1_2_0042EBCC | |
| Source: | Code function: | 1_2_00423B68 | |
| Source: | Code function: | 1_2_004125BC | |
| Source: | Code function: | 1_2_00454CF8 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040914C | |
| Source: | Code function: | 0_2_00409180 | |
| Source: | Code function: | 1_2_004536F0 | |
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00401B30 | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 2_2_00402BF0 | |
| Source: | Code function: | 2_2_00405350 | |
| Source: | Mutant created: | ||
| Source: | Code function: | 0_2_004098C8 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | 2_2_00409A10 | |
| Source: | Command line argument: | 2_2_00409A10 | |
| Source: | Command line argument: | 2_2_00409A10 | |
| Source: | Command line argument: | 2_2_00409A10 | |
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_0040654D | |
| Source: | Code function: | 0_2_004040F1 | |
| Source: | Code function: | 0_2_00404389 | |
| Source: | Code function: | 0_2_00404389 | |
| Source: | Code function: | 0_2_0040C219 | |
| Source: | Code function: | 0_2_00404389 | |
| Source: | Code function: | 0_2_00404389 | |
| Source: | Code function: | 0_2_00408C7B | |
| Source: | Code function: | 0_2_00407EA5 | |
| Source: | Code function: | 1_2_00409919 | |
| Source: | Code function: | 1_2_0040A024 | |
| Source: | Code function: | 1_2_004062C5 | |
| Source: | Code function: | 1_2_00430459 | |
| Source: | Code function: | 1_2_0047A7A2 | |
| Source: | Code function: | 1_2_004106B9 | |
| Source: | Code function: | 1_2_0045076B | |
| Source: | Code function: | 1_2_00412967 | |
| Source: | Code function: | 1_2_004429C4 | |
| Source: | Code function: | 1_2_00456DAC | |
| Source: | Code function: | 1_2_0045AD75 | |
| Source: | Code function: | 1_2_0040D00E | |
| Source: | Code function: | 1_2_004054C1 | |
| Source: | Code function: | 1_2_00405759 | |
| Source: | Code function: | 1_2_0040F56E | |
| Source: | Code function: | 1_2_00405759 | |
| Source: | Code function: | 1_2_00405759 | |
| Source: | Code function: | 1_2_00405759 | |
| Source: | Code function: | 1_2_0047BC5D | |
| Source: | Code function: | 1_2_00419C11 | |
| Source: | Code function: | 2_2_004311B6 | |
| Source: | Code function: | 2_2_0040F87E | |
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_0044A890 | |
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 1_2_00423BF0 | |
| Source: | Code function: | 1_2_00423BF0 | |
| Source: | Code function: | 1_2_0047A09C | |
| Source: | Code function: | 1_2_00424178 | |
| Source: | Code function: | 1_2_004241C0 | |
| Source: | Code function: | 1_2_00418368 | |
| Source: | Code function: | 1_2_00422840 | |
| Source: | Code function: | 1_2_0041757C | |
| Source: | Code function: | 1_2_00417CB2 | |
| Source: | Code function: | 1_2_00417CB4 | |
| Source: | Code function: | 1_2_0044A890 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-4956 | ||
| Source: | Last function: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Check user administrative privileges: | graph_2-35284 | ||
| Source: | Code function: | 2_2_004056A0 | |
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040980C | |
| Source: | Code function: | 1_2_0046E2D4 | |
| Source: | Code function: | 1_2_0047694C | |
| Source: | Code function: | 1_2_00450EA4 | |
| Source: | Code function: | 1_2_0045E738 | |
| Source: | Code function: | 1_2_00474BD0 | |
| Source: | Code function: | 1_2_0045EBB4 | |
| Source: | Code function: | 1_2_0045D1B4 | |
| Source: | Code function: | 1_2_0048D260 | |
| Source: | Code function: | 2_2_00404490 | |
| Source: | Code function: | 2_2_004241DD | |
| Source: | Code function: | 2_2_1000959D | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 2_2_0041371B | |
| Source: | Code function: | 2_2_00402BF0 | |
| Source: | Code function: | 1_2_0044A890 | |
| Source: | Code function: | 2_2_00402F20 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 2_2_0044028F | |
| Source: | Code function: | 2_2_004207CF | |
| Source: | Code function: | 2_2_004429E7 | |
| Source: | Code function: | 2_2_00417F5F | |
| Source: | Code function: | 2_2_100091C7 | |
| Source: | Code function: | 2_2_10006CE1 | |
| Source: | Code function: | 2_2_0040FB39 | |
| Source: | Code function: | 2_2_0041371B | |
| Source: | Code function: | 2_2_0040F9A5 | |
| Source: | Code function: | 2_2_0040EF82 | |
| Source: | Code function: | 2_2_10006180 | |
| Source: | Code function: | 2_2_100035DF | |
| Source: | Code function: | 2_2_10003AD4 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 1_2_00459ACC | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0040515C | |
| Source: | Code function: | 0_2_004051A8 | |
| Source: | Code function: | 1_2_00408500 | |
| Source: | Code function: | 1_2_0040854C | |
| Source: | Code function: | 2_2_00404D40 | |
| Source: | Code function: | 2_2_0042714F | |
| Source: | Code function: | 2_2_004273F1 | |
| Source: | Code function: | 2_2_0042743C | |
| Source: | Code function: | 2_2_004274D7 | |
| Source: | Code function: | 2_2_00427562 | |
| Source: | Code function: | 2_2_0041E6AF | |
| Source: | Code function: | 2_2_004277B5 | |
| Source: | Code function: | 2_2_004278DB | |
| Source: | Code function: | 2_2_004279E1 | |
| Source: | Code function: | 2_2_00427AB0 | |
| Source: | Code function: | 2_2_0041EBD1 | |
| Source: | Code function: | 2_2_0043E835 | |
| Source: | Code function: | 1_2_0045604C | |
| Source: | Code function: | 0_2_004026C4 | |
| Source: | Code function: | 0_2_00405C44 | |
| Source: | Code function: | 1_2_00453688 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
| Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 14 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 17% | ReversingLabs | Win32.Trojan.Generic |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 2% | ReversingLabs | |||
| 3% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 2% | ReversingLabs | |||
| 4% | Metadefender | Browse | ||
| 8% | ReversingLabs | |||
| 3% | Metadefender | Browse | ||
| 38% | ReversingLabs | Win32.Trojan.Generic |
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen8 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1250671 | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 100% | URL Reputation | malware | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| false |
| unknown | |
| false |
| unknown | |
| false |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 45.139.105.171 | unknown | Italy | 33657 | CMCSUS | false | |
| 45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true | |
| 85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true | |
| 107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | false | |
| 171.22.30.106 | unknown | Germany | 33657 | CMCSUS | false |
| Joe Sandbox Version: | 36.0.0 Rainbow Opal |
| Analysis ID: | 736956 |
| Start date and time: | 2022-11-03 12:30:23 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 10m 59s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | file.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 18 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal96.troj.evad.winEXE@12/31@0/5 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 12:33:55 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 45.139.105.171 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| CMCSUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| C:\Program Files (x86)\fnSearcher\is-6KAKC.tmp | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 356 |
| Entropy (8bit): | 4.884558011565004 |
| Encrypted: | false |
| SSDEEP: | 6:AySGO4KS/x4L8ThcSRFLk6XDuwOyoExvWmFuQUqvJrdt6YAhlAjyIDHAUXV4:Ayf3WPSPLkP/fEFWm/5v3t/byGgH |
| MD5: | 461D6293779BDEF19493C351344F2B71 |
| SHA1: | C441B7DAA5ABF8A2872D55F47585657147451C72 |
| SHA-256: | 0C2BD3D1AEB04523291BC72424C802E36C1733E0B72FA775B9DD0A4E9CADE263 |
| SHA-512: | D41DBDF10A61CEDE90D68F1F7E351D9DA441026F7CF9C12AB6ADA017B185455DDBFED74760A3DD3D67ED10A9B1915E79F6ACFF70850B626C68CB1E2B22FC9C25 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 272134 |
| Entropy (8bit): | 6.156729185977344 |
| Encrypted: | false |
| SSDEEP: | 6144:TNKofL3cEjxCryOOYJH+8a1anwxrcSOQmlBkO+kKo:TNNzsEjxCryOOYvbnwxrcewf+1o |
| MD5: | 8E46BE5A4155710361181E3B67373404 |
| SHA1: | 18A19A04DD6E4BFE6731E6978F2CB295E1C52174 |
| SHA-256: | 32AB0D1DF26B0DCFE78D393A1F2534D1DAA5BABC6980017303ED925682CE19D0 |
| SHA-512: | 5497EEF00048125D67551FBF22747654D97903F0622830299792159DC8532013191FB006A832E7CE2B4383EE2EC67B7B7C1D06C25CF34EEB118D050AC89DC3B7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | modified |
| Size (bytes): | 4448253 |
| Entropy (8bit): | 6.264319773505966 |
| Encrypted: | false |
| SSDEEP: | 49152:g6IGeIk/rF+FYh2VSb1+/zSYGxsnlHqeQKkZ7QhrzFJmhO+oCnFWDE:8Lh2kbuOYSilq7KkZ8ShO+vFYE |
| MD5: | 3FCA96750E2F656A73FBC6A896F53209 |
| SHA1: | 34F711F2651D3FBAF639B3A595F9029F6AF7E245 |
| SHA-256: | 65B7C9068EBF98CEC8B955FC2D61D83EBDFA66FC656AB56C160FCE98F1F1B189 |
| SHA-512: | 2813F8E023D1BDDB564F25257909A0AD48C0A984761B2209CC383EC355A7E7B6476A4754549F9702EA420A8176C5A2AEC1732D29A659B12520A6026BCEA8E76B |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44381 |
| Entropy (8bit): | 4.886111144563166 |
| Encrypted: | false |
| SSDEEP: | 384:zDkO4WdW2OTYn/akuhSm9eDAmWZJ6Sr82Zeo75Y3kpTBLRA6AlEayr:zDEDhSm9aHZ/6A92 |
| MD5: | 1BFCDE2B3D557CFB8B9004055D3A90F5 |
| SHA1: | 678353ADC2CACD12555EF12F5D94FC03CD07707E |
| SHA-256: | A8FBA72D4B1FB03EE40A9472430275499E361BBD74144D9956232EF2FDA0407A |
| SHA-512: | DF9FDB20B2054328431AA5F0D0014D949AF4BE3BFC0CB1E3D77BEDD4626DEEA83FDA259352765C04985087E260EB03FF7B337C1D4D54878EC210EFBEA6A36AD1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 272134 |
| Entropy (8bit): | 6.156729185977344 |
| Encrypted: | false |
| SSDEEP: | 6144:TNKofL3cEjxCryOOYJH+8a1anwxrcSOQmlBkO+kKo:TNNzsEjxCryOOYvbnwxrcewf+1o |
| MD5: | 8E46BE5A4155710361181E3B67373404 |
| SHA1: | 18A19A04DD6E4BFE6731E6978F2CB295E1C52174 |
| SHA-256: | 32AB0D1DF26B0DCFE78D393A1F2534D1DAA5BABC6980017303ED925682CE19D0 |
| SHA-512: | 5497EEF00048125D67551FBF22747654D97903F0622830299792159DC8532013191FB006A832E7CE2B4383EE2EC67B7B7C1D06C25CF34EEB118D050AC89DC3B7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4448253 |
| Entropy (8bit): | 6.264319309636284 |
| Encrypted: | false |
| SSDEEP: | 49152:z6IGeIk/rF+FYh2VSb1+/zSYGxsnlHqeQKkZ7QhrzFJmhO+oCnFWDE:bLh2kbuOYSilq7KkZ8ShO+vFYE |
| MD5: | 799061D3EB45D6E5A60FB66FBA8E305F |
| SHA1: | 53F2740727690A4A3AF3BB1B8CB14A5CDCDDB828 |
| SHA-256: | 6FE6FA5C1C331ED9128A09B8562FEB929095D16AAC2925C2063C465BC4DE252F |
| SHA-512: | 1BACCE17E0738A3DBBFDAD350B3D942A608E829544A3BEBA3A9D6E5E00B294B3F7666CB135EEAB91FCD5D8F4C0E3477001F1FA6D2624EDBCA02FE60801779996 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 683801 |
| Entropy (8bit): | 6.46625841767368 |
| Encrypted: | false |
| SSDEEP: | 12288:akxzRCUn4rP/37YzHXA6/YUKsGjQNw4qpRRpDWowphIxzr:RFRCUn4rP/37YzHXA6QJsoPtIpqxzr |
| MD5: | 10529F95E0E03896C0C969F016E313AA |
| SHA1: | F79547E17C6EAC21781BD3EC267E39C9A8588207 |
| SHA-256: | 40AE4CA142D536558D329DF560CDBE29D2335F0F7E349C26887B3AB411E0F54D |
| SHA-512: | 2B6A51A65735D3AF8E5D9A70A2C7CEDAB2C8920A720B71EACFDBA0ED8FAFCC6ACE7B28951B3953C4762B73B30E823A8A811744E207ACC695C70B8ABC301EF47D |
| Malicious: | true |
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44381 |
| Entropy (8bit): | 4.886111144563166 |
| Encrypted: | false |
| SSDEEP: | 384:zDkO4WdW2OTYn/akuhSm9eDAmWZJ6Sr82Zeo75Y3kpTBLRA6AlEayr:zDEDhSm9aHZ/6A92 |
| MD5: | 1BFCDE2B3D557CFB8B9004055D3A90F5 |
| SHA1: | 678353ADC2CACD12555EF12F5D94FC03CD07707E |
| SHA-256: | A8FBA72D4B1FB03EE40A9472430275499E361BBD74144D9956232EF2FDA0407A |
| SHA-512: | DF9FDB20B2054328431AA5F0D0014D949AF4BE3BFC0CB1E3D77BEDD4626DEEA83FDA259352765C04985087E260EB03FF7B337C1D4D54878EC210EFBEA6A36AD1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20 |
| Entropy (8bit): | 3.3086949695628416 |
| Encrypted: | false |
| SSDEEP: | 3:IU4n:X4n |
| MD5: | AAA149E55DDAE6393FE099990747DA94 |
| SHA1: | F3011A304194E8AA27E0E29E49F8F2C81EAECDBD |
| SHA-256: | E2C57F46196C1BA3EF69792DEDF532F2A2286BA876E5BB6091C6B173D2E7C5BB |
| SHA-512: | 15121C5C5ECB404BE5E734BE437D744B8FCDB34DDD46D69E5F18CA23E4D74B79B605B9B41973989772432035332D24FFA310F78AF6F44F44C731D416F4A949AB |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 134921 |
| Entropy (8bit): | 6.105680271090377 |
| Encrypted: | false |
| SSDEEP: | 1536:blivjgxiL8DUPKKh1EQ3Zeyo0aIWeTjXV0/KwIhFvyt2M5BH2w:bV4lfptKIW6F0JIzw2M5B1 |
| MD5: | B8ED55BF81883D2BECF23FC020585214 |
| SHA1: | 43F6DE28C98380B2FFBA0B29F381EB8408E6F691 |
| SHA-256: | C63B20B68FABD4DF695389494235345CC95CF7E1826896EE6393F0E402B565DA |
| SHA-512: | E1CB9501575B4CD66AFD6C67BE2AECA1615E9C37C2B37E68A645B21BB6B2CAAE88CAF0EC8BE3513AD72896AB6A870154D17A56F71E50D51581F00C706553B10D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 356 |
| Entropy (8bit): | 4.884558011565004 |
| Encrypted: | false |
| SSDEEP: | 6:AySGO4KS/x4L8ThcSRFLk6XDuwOyoExvWmFuQUqvJrdt6YAhlAjyIDHAUXV4:Ayf3WPSPLkP/fEFWm/5v3t/byGgH |
| MD5: | 461D6293779BDEF19493C351344F2B71 |
| SHA1: | C441B7DAA5ABF8A2872D55F47585657147451C72 |
| SHA-256: | 0C2BD3D1AEB04523291BC72424C802E36C1733E0B72FA775B9DD0A4E9CADE263 |
| SHA-512: | D41DBDF10A61CEDE90D68F1F7E351D9DA441026F7CF9C12AB6ADA017B185455DDBFED74760A3DD3D67ED10A9B1915E79F6ACFF70850B626C68CB1E2B22FC9C25 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44011 |
| Entropy (8bit): | 5.026565347530582 |
| Encrypted: | false |
| SSDEEP: | 384:em3cWBnPz+p/zWFHQ1QDGteo75Y3kpTBLRA6AlEayF:emsuQ1WGIZ/6A9U |
| MD5: | 1AE62F00FC368364A2DE668B3299D793 |
| SHA1: | E4E32C3EDC269987E39FDC0883F589CECF9604B4 |
| SHA-256: | F9FF5B54BB1EBEECCC4104A62E32CAB4556DD75A5F76260E720485D5CC39D7E8 |
| SHA-512: | 844F4116FD8FF13B144D6D16DE695F7600283DC0B573CAAB5AE74573301B235AC234CE59D1D30BE8FB8ABBA3DFD27EDF8C53A7E0CD5320C23008B5F354377527 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 51922 |
| Entropy (8bit): | 4.912794307456054 |
| Encrypted: | false |
| SSDEEP: | 384:eA3cWBnPz+p/zWFHQ1Qp0SEW5FRLU+cB9nGog4jy6XFsa0eo75Y3kpTBLRA6AlE8:eAsuQ1IV75knFBV6ahZ/6A9r |
| MD5: | FE7C9C6F6E8F720F886BCC65FA2D9B20 |
| SHA1: | 2775F12A0BABDEE5CEEDB08452EF72732E49F13C |
| SHA-256: | B3F54F1D0C3EA747CC52BAD1B363815B9297088CACDF1398C8CFD7F8054CE2BB |
| SHA-512: | ABBFE43FBE4827C9CEDA8D1FDD3DB3B344E99E0CDC3512E4EF84F965F882BA5E3822A407AC1F974D1986F1CDA645A20C1D00CD16262200FE39574AEFF12F6A1A |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44011 |
| Entropy (8bit): | 5.026565347530582 |
| Encrypted: | false |
| SSDEEP: | 384:em3cWBnPz+p/zWFHQ1QDGteo75Y3kpTBLRA6AlEayF:emsuQ1WGIZ/6A9U |
| MD5: | 1AE62F00FC368364A2DE668B3299D793 |
| SHA1: | E4E32C3EDC269987E39FDC0883F589CECF9604B4 |
| SHA-256: | F9FF5B54BB1EBEECCC4104A62E32CAB4556DD75A5F76260E720485D5CC39D7E8 |
| SHA-512: | 844F4116FD8FF13B144D6D16DE695F7600283DC0B573CAAB5AE74573301B235AC234CE59D1D30BE8FB8ABBA3DFD27EDF8C53A7E0CD5320C23008B5F354377527 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 51922 |
| Entropy (8bit): | 4.912794307456054 |
| Encrypted: | false |
| SSDEEP: | 384:eA3cWBnPz+p/zWFHQ1Qp0SEW5FRLU+cB9nGog4jy6XFsa0eo75Y3kpTBLRA6AlE8:eAsuQ1IV75knFBV6ahZ/6A9r |
| MD5: | FE7C9C6F6E8F720F886BCC65FA2D9B20 |
| SHA1: | 2775F12A0BABDEE5CEEDB08452EF72732E49F13C |
| SHA-256: | B3F54F1D0C3EA747CC52BAD1B363815B9297088CACDF1398C8CFD7F8054CE2BB |
| SHA-512: | ABBFE43FBE4827C9CEDA8D1FDD3DB3B344E99E0CDC3512E4EF84F965F882BA5E3822A407AC1F974D1986F1CDA645A20C1D00CD16262200FE39574AEFF12F6A1A |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20 |
| Entropy (8bit): | 3.3086949695628416 |
| Encrypted: | false |
| SSDEEP: | 3:IU4n:X4n |
| MD5: | AAA149E55DDAE6393FE099990747DA94 |
| SHA1: | F3011A304194E8AA27E0E29E49F8F2C81EAECDBD |
| SHA-256: | E2C57F46196C1BA3EF69792DEDF532F2A2286BA876E5BB6091C6B173D2E7C5BB |
| SHA-512: | 15121C5C5ECB404BE5E734BE437D744B8FCDB34DDD46D69E5F18CA23E4D74B79B605B9B41973989772432035332D24FFA310F78AF6F44F44C731D416F4A949AB |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 134921 |
| Entropy (8bit): | 6.105680271090377 |
| Encrypted: | false |
| SSDEEP: | 1536:blivjgxiL8DUPKKh1EQ3Zeyo0aIWeTjXV0/KwIhFvyt2M5BH2w:bV4lfptKIW6F0JIzw2M5B1 |
| MD5: | B8ED55BF81883D2BECF23FC020585214 |
| SHA1: | 43F6DE28C98380B2FFBA0B29F381EB8408E6F691 |
| SHA-256: | C63B20B68FABD4DF695389494235345CC95CF7E1826896EE6393F0E402B565DA |
| SHA-512: | E1CB9501575B4CD66AFD6C67BE2AECA1615E9C37C2B37E68A645B21BB6B2CAAE88CAF0EC8BE3513AD72896AB6A870154D17A56F71E50D51581F00C706553B10D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3779 |
| Entropy (8bit): | 4.4819215691462615 |
| Encrypted: | false |
| SSDEEP: | 48:G1q3HlyMCLBv8lD8zpjxcm5UQoIN6hqkLVO3471IGX0ya3tF7yGl4XKBXD7fDMpp:GUKp8lD8zpHJoIohqYOIhxkNFjKH |
| MD5: | 21BE62ED5593242273AD122E0D982DDB |
| SHA1: | DEADE12912AED05780AAC84A59388EC09DD1B1EF |
| SHA-256: | 3AADFCFF0A5E22977AAE09981CDFB2EA79E33945317F7429A3043B508C23C95C |
| SHA-512: | E805B1A637E3AC023B3864EC65C9C46193B77B9AF53BB8C0AA9B6F24AE3AC44BC15005CB8F2679D331134E710C752528A127E83A796317BDD745EE8214BFD308 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 683801 |
| Entropy (8bit): | 6.46625841767368 |
| Encrypted: | false |
| SSDEEP: | 12288:akxzRCUn4rP/37YzHXA6/YUKsGjQNw4qpRRpDWowphIxzr:RFRCUn4rP/37YzHXA6QJsoPtIpqxzr |
| MD5: | 10529F95E0E03896C0C969F016E313AA |
| SHA1: | F79547E17C6EAC21781BD3EC267E39C9A8588207 |
| SHA-256: | 40AE4CA142D536558D329DF560CDBE29D2335F0F7E349C26887B3AB411E0F54D |
| SHA-512: | 2B6A51A65735D3AF8E5D9A70A2C7CEDAB2C8920A720B71EACFDBA0ED8FAFCC6ACE7B28951B3953C4762B73B30E823A8A811744E207ACC695C70B8ABC301EF47D |
| Malicious: | true |
| Preview: |
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 17 |
| Entropy (8bit): | 3.1751231351134614 |
| Encrypted: | false |
| SSDEEP: | 3:nCmxEl:Cmc |
| MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
| SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
| SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
| SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\fuckingdllENCR[1].dll 
Download File
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94224 |
| Entropy (8bit): | 7.998072640845361 |
| Encrypted: | true |
| SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
| MD5: | 418619EA97671304AF80EC60F5A50B62 |
| SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
| SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
| SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3584 |
| Entropy (8bit): | 4.012434743866195 |
| Encrypted: | false |
| SSDEEP: | 48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD |
| MD5: | C594B792B9C556EA62A30DE541D2FB03 |
| SHA1: | 69E0207515E913243B94C2D3A116D232FF79AF5F |
| SHA-256: | 5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E |
| SHA-512: | 387BD07857B0DE67C04E0ABF89B754691683F30515726045FF382DA9B6B7F36570E38FAE9ECA5C4F0110CE9BB421D8045A5EC273C4C47B5831948564763ED144 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2560 |
| Entropy (8bit): | 2.8818118453929262 |
| Encrypted: | false |
| SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
| MD5: | A69559718AB506675E907FE49DEB71E9 |
| SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
| SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
| SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5632 |
| Entropy (8bit): | 4.203889009972449 |
| Encrypted: | false |
| SSDEEP: | 48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv |
| MD5: | B4604F8CD050D7933012AE4AA98E1796 |
| SHA1: | 36B7D966C7F87860CD6C46096B397AA23933DF8E |
| SHA-256: | B50B7AC03EC6DA865BF4504C7AC1E52D9F5B67C7BCB3EC0DB59FAB24F1B471C5 |
| SHA-512: | 3057AA4810245DA0B340E1C70201E5CE528CFDC5A164915E7B11855E3A5B9BA0ED77FBC542F5E4EB296EA65AF88F263647B577151068636BA188D8C4FD44E431 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-VVS8D.tmp\is-SQE6E.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 23312 |
| Entropy (8bit): | 4.596242908851566 |
| Encrypted: | false |
| SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
| MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
| SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
| SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
| SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 673280 |
| Entropy (8bit): | 6.456966952098253 |
| Encrypted: | false |
| SSDEEP: | 12288:CkxzRCUn4rP/37YzHXA6/YUKsGjQNw4qpRRpDWowphIxz:ZFRCUn4rP/37YzHXA6QJsoPtIpqxz |
| MD5: | 7CD12C54A9751CA6EEE6AB0C85FB68F5 |
| SHA1: | 76562E9B7888B6D20D67ADDB5A90B68B54A51987 |
| SHA-256: | E82CABB027DB8846C3430BE760F137AFA164C36F9E1B93A6E34C96DE0B2C5A5F |
| SHA-512: | 27BA5D2F719AAAC2EAD6FB42F23AF3AA866F75026BE897CD2F561F3E383904E89E6043BD22B4AE24F69787BD258A68FF696C09C03D656CBF7C79C2A52D8D82CC |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 73728 |
| Entropy (8bit): | 6.20389308045717 |
| Encrypted: | false |
| SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
| MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
| SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
| SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
| SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 7.997057951465239 |
| TrID: |
|
| File name: | file.exe |
| File size: | 2881497 |
| MD5: | 9156fa044ec274f670095e43e205d137 |
| SHA1: | 62107d1bd3cb01d59924433f1c8a97c7096d5fb7 |
| SHA256: | 861751b8c762f3332f12c1f4ff45c3108357b1debbde2a07a5e9d44e806ce88d |
| SHA512: | 5bbf3a2d3050cf7994e07cb0b6c5fd5605c095cf7ca2e0d46c5434a248a47f3f2dcf506a63d93efc97d7ce0f8aae8efb21f253cb1a5745da291765295ad0ad9e |
| SSDEEP: | 49152:Z2cj4MkOZSuwjh/SfJe0jMgewii3AY6YlqQB14ZohSzyx60KS1UX/EqA5hq:Mc5kOnwjh/SfJe0Ygew+Yt8i14ahGB0I |
| TLSH: | F5D53372B5A1923AC7900B796CBEE72AFC337D3D112D9A54B6AC530D9C1308B914CB97 |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | a2a0b496b2caca72 |
| Entrypoint: | 0x40991c |
| Entrypoint Section: | CODE |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 1 |
| OS Version Minor: | 0 |
| File Version Major: | 1 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 1 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 884310b1928934402ea6fec1dbd3cf5e |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFCCh |
| push ebx |
| push esi |
| push edi |
| xor eax, eax |
| mov dword ptr [ebp-10h], eax |
| mov dword ptr [ebp-24h], eax |
| call 00007FBBA8AC4AFFh |
| call 00007FBBA8AC5D06h |
| call 00007FBBA8AC7F31h |
| call 00007FBBA8AC7FB8h |
| call 00007FBBA8ACA65Fh |
| call 00007FBBA8ACA7C6h |
| xor eax, eax |
| push ebp |
| push 00409FC6h |
| push dword ptr fs:[eax] |
| mov dword ptr fs:[eax], esp |
| xor edx, edx |
| push ebp |
| push 00409F7Ch |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| mov eax, dword ptr [0040C014h] |
| call 00007FBBA8ACB1F0h |
| call 00007FBBA8ACAD7Bh |
| lea edx, dword ptr [ebp-10h] |
| xor eax, eax |
| call 00007FBBA8AC8435h |
| mov edx, dword ptr [ebp-10h] |
| mov eax, 0040CDD4h |
| call 00007FBBA8AC4BB0h |
| push 00000002h |
| push 00000000h |
| push 00000001h |
| mov ecx, dword ptr [0040CDD4h] |
| mov dl, 01h |
| mov eax, 0040719Ch |
| call 00007FBBA8AC8CA0h |
| mov dword ptr [0040CDD8h], eax |
| xor edx, edx |
| push ebp |
| push 00409F5Ah |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| call 00007FBBA8ACB260h |
| mov dword ptr [0040CDE0h], eax |
| mov eax, dword ptr [0040CDE0h] |
| cmp dword ptr [eax+0Ch], 01h |
| jne 00007FBBA8ACB39Ah |
| mov eax, dword ptr [0040CDE0h] |
| mov edx, 00000028h |
| call 00007FBBA8AC90A1h |
| mov edx, dword ptr [0040CDE0h] |
| cmp eax, dword ptr [edx+00h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2800 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| CODE | 0x1000 | 0x9040 | 0x9200 | False | 0.610980308219178 | data | 6.5386448278888665 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| DATA | 0xb000 | 0x248 | 0x400 | False | 0.3046875 | data | 2.711035285634283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| BSS | 0xc000 | 0xe34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .reloc | 0x10000 | 0x8a4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .rsrc | 0x11000 | 0x2800 | 0x2800 | False | 0.332421875 | data | 4.465850706524941 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands |
| RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands |
| RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands |
| RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands |
| RT_STRING | 0x12574 | 0x2f2 | data | ||
| RT_STRING | 0x12868 | 0x30c | data | ||
| RT_STRING | 0x12b74 | 0x2ce | data | ||
| RT_STRING | 0x12e44 | 0x68 | data | ||
| RT_STRING | 0x12eac | 0xb4 | data | ||
| RT_STRING | 0x12f60 | 0xae | data | ||
| RT_RCDATA | 0x13010 | 0x2c | data | ||
| RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States |
| RT_VERSION | 0x1307c | 0x3cc | data | English | United States |
| RT_MANIFEST | 0x13448 | 0x383 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
| DLL | Import |
|---|---|
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
| user32.dll | MessageBoxA |
| oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
| kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
| user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
| comctl32.dll | InitCommonControls |
| advapi32.dll | AdjustTokenPrivileges |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Dutch | Netherlands |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 3, 2022 12:33:53.535412073 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:33:53.562572956 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.3 |
| Nov 3, 2022 12:33:53.562913895 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:33:53.563388109 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:33:53.590500116 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.3 |
| Nov 3, 2022 12:33:55.095246077 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.3 |
| Nov 3, 2022 12:33:55.095343113 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:33:55.523766994 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:33:55.551086903 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.073425055 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.073540926 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:33:57.121674061 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.149096012 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.149339914 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.150227070 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.178580046 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.179069996 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.179179907 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.207458019 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.234786034 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235316992 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235409021 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.235416889 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235436916 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235454082 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235461950 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.235471010 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235479116 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.235487938 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235501051 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.235503912 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235519886 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235526085 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.235536098 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235552073 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.235574007 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.235599995 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.262746096 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262777090 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262794018 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262810946 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262826920 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262842894 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262859106 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262885094 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262904882 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262922049 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262938023 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262949944 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.262955904 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262973070 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.262989044 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263000011 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.263005018 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263022900 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263031960 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.263045073 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263052940 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.263067961 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263088942 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.263089895 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263113022 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.263118982 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.263150930 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290268898 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290293932 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290309906 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290326118 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290342093 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290359974 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290375948 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290393114 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290409088 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290410042 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290425062 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290440083 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290446043 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290456057 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290469885 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290472031 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290487051 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290498972 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290503025 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290518999 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290522099 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290534973 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290539980 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290551901 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290565968 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290568113 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290585041 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290592909 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290600061 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290615082 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290621042 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290632010 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290648937 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290652037 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290664911 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290679932 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290679932 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290695906 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290708065 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290712118 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290729046 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290731907 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290744066 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290750980 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290760040 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290776014 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290779114 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290791988 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290803909 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290807009 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290822983 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290829897 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290838957 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290853977 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290858984 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290869951 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290899038 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290899038 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290899038 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290915966 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.290915966 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290935040 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.290951014 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.318208933 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.318253040 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.318278074 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.318300962 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.318372965 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.318402052 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:33:57.383362055 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:33:57.410640001 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.410736084 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:33:57.411223888 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:33:57.438211918 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.938071012 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:33:57.938186884 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:00.034480095 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:00.061619997 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:00.565181017 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:00.565382957 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:02.078538895 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.3 |
| Nov 3, 2022 12:34:02.078775883 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:34:02.295145988 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.3 |
| Nov 3, 2022 12:34:02.295361996 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:34:03.660644054 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:03.687911034 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:04.260761023 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:04.260875940 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:06.344116926 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:06.374646902 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:06.911602974 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:06.911806107 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:09.062948942 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:09.090150118 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:09.609028101 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:09.609186888 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:11.679198027 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:11.706363916 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:12.214044094 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:12.214226007 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:14.298182964 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:14.326365948 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:14.884565115 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:14.884738922 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:17.016792059 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:17.043915987 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:17.638432980 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:17.638603926 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:19.940105915 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:19.967199087 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:20.476928949 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:20.477072001 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:23.048970938 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:23.078990936 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:23.603485107 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:23.606142998 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:25.692823887 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:25.720146894 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:26.244364977 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.3 |
| Nov 3, 2022 12:34:26.247241020 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
| Nov 3, 2022 12:34:30.115322113 CET | 49700 | 80 | 192.168.2.3 | 107.182.129.235 |
| Nov 3, 2022 12:34:30.115408897 CET | 49699 | 80 | 192.168.2.3 | 45.139.105.171 |
| Nov 3, 2022 12:34:30.115590096 CET | 49701 | 80 | 192.168.2.3 | 171.22.30.106 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49699 | 45.139.105.171 | 80 | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Nov 3, 2022 12:33:53.563388109 CET | 100 | OUT | |
| Nov 3, 2022 12:33:55.095246077 CET | 100 | IN | |
| Nov 3, 2022 12:33:55.523766994 CET | 101 | OUT | |
| Nov 3, 2022 12:33:57.073425055 CET | 101 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49700 | 107.182.129.235 | 80 | C:\Program Files (x86)\fnSearcher\fnsearcher68.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Nov 3, 2022 12:33:57.150227070 CET | 102 | OUT | |
| Nov 3, 2022 12:33:57.179069996 CET | 102 | IN | |
| Nov 3, 2022 12:33:57.207458019 CET | 103 | OUT | |
| Nov 3, 2022 12:33:57.235316992 CET | 104 | IN |